ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
An algebra for composing access control policies
Full text PdfPdf (384 KB)
Source ACM Transactions on Information and System Security (TISSEC) archive
Volume 5 ,  Issue 1  (February 2002) table of contents
Pages: 1 - 35  
Year of Publication: 2002
ISSN:1094-9224
Authors
Piero Bonatti  Università di Milano, Crema, Italy
Sabrina De Capitani di Vimercati  Università di Brescia, Brescia, Italy
Pierangela Samarati  Università di Milano, Crema, Italy
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 18,   Downloads (12 Months): 133,   Citation Count: 18
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues   peer to peer  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/504909.504910
What is a DOI?

ABSTRACT

Despite considerable advancements in the area of access control and authorization languages, current approaches to enforcing access control are all based on monolithic and complete specifications. This assumption is too restrictive when access control restrictions to be enforced come from the combination of different policy specifications, each possibly under the control of independent authorities, and where the specifics of some component policies may not even be known apriori. Turning individual specifications into a coherent policy to be fed into the access control system requires a nontrivial combination and translation process. This article addresses the problem of combining authorization specifications that may be independently stated, possibly in different languages and according to different policies. We propose an algebra of security policies together with its formal semantics and illustrate how to formulate complex policies in the algebra and reason about them. A translation of policy expressions into equivalent logic programs is illustrated, which provides the basis for the implementation of the algebra. The algebra's expressiveness is analyzed through a comparison with first-order logic.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

1
Martín Abadi , Leslie Lamport, Composing specifications, ACM Transactions on Programming Languages and Systems (TOPLAS), v.15 n.1, p.73-132, Jan. 1993  [doi>10.1145/151646.151649]
 
2
BANISAR, D. AND DAVIES, S. 1999. Privacy & Human Rights-An International Survey of Privacy Laws and Developments. EPIC.
3
Elisa Bertino , Sushil Jajodia , Pierangela Samarati, A flexible authorization mechanism for relational data management systems, ACM Transactions on Information Systems (TOIS), v.17 n.2, p.101-140, April 1999  [doi>10.1145/306686.306687]
4
Piero Bonatti , Sabrina de Capitani di Vimercati , Pierangela Samarati, A modular approach to composing access control policies, Proceedings of the 7th ACM conference on Computer and communications security, p.164-173, November 01-04, 2000, Athens, Greece  [doi>10.1145/352600.352623]
 
5
Ernesto Damiani , Sabrina de Capitani di Vimercati , Stefano Paraboschi , Pierangela Samarati, Design and implementation of an access control processor for XML documents, Proceedings of the 9th international World Wide Web conference on Computer networks : the international journal of computer and telecommunications netowrking, p.59-75, June 2000, Amsterdam, The Netherlands
 
6
GELFOND, M. AND LIFSCHITZ, V. 1988. The stable model semantics for logic programming. In Proceedings of the International Conference on Logic Programming (ICLP'88), MITPress, Cambridge, Mass., 1070-1080.
 
7
HOSMER, H. 1992. The multipolicy paradigm. In Proceedings of the Fifteenth National Computer Security Conference (Baltimore, Oct.), 409-422.
 
8
Trent Jaeger, Access control in configurable systems, Secure Internet programming: security issues for mobile and distributed objects, Springer-Verlag, London, 2001
9
Sushil Jajodia , Pierangela Samarati , Maria Luisa Sapino , V. S. Subrahmanian, Flexible support for multiple access control policies, ACM Transactions on Database Systems (TODS), v.26 n.2, p.214-260, June 2001  [doi>10.1145/383891.383894]
 
10
Paris C. Kanellakis, Elements of relational database theory, Handbook of theoretical computer science (vol. B): formal models and semantics, MIT Press, Cambridge, MA, 1991
11
Carl E. Landwehr, Formal Models for Computer Security, ACM Computing Surveys (CSUR), v.13 n.3, p.247-278, Sept. 1981  [doi>10.1145/356850.356852]
 
12
Ninghui Li , Joan Feigenbaum , Benjamin N. Grosof, A Logic-based Knowledge Representation for Authorization with Delegation, Proceedings of the 1999 IEEE Computer Security Foundations Workshop, p.162, June 28-30, 1999
 
13
Vladimir Lifschitz , Hudson Turner, Splitting a logic program, Proceedings of the eleventh international conference on Logic programming, p.23-37, August 1994
 
14
J. W. Lloyd, Foundations of logic programming, Springer-Verlag New York, Inc., New York, NY, 1984
 
15
LUNT, T. 1989. Access control policies for database systems. In Database Security II: Status and Prospects, C. Landwehr, Ed., North-Holland, Amsterdam, The Netherlands, 41-52.
16
Fausto Rabitti , Elisa Bertino , Won Kim , Darrell Woelk, A model of authorization for next-generation database systems, ACM Transactions on Database Systems (TODS), v.16 n.1, p.88-131, March 1991  [doi>10.1145/103140.103144]
 
17
SAGONAS, K., SWIFT, T., WARREN, D., FREIRE, J., AND RAO, P. 2000. The XSB programmer's manual, version 2.2. http://xsb.sourceforge.net.
 
18
Ravi S. Sandhu, Lattice-Based Access Control Models, Computer, v.26 n.11, p.9-19, November 1993  [doi>10.1109/2.241422]
19
HongHai Shen , Prasun Dewan, Access control for collaborative environments, Proceedings of the 1992 ACM conference on Computer-supported cooperative work, p.51-58, November 01-04, 1992, Toronto, Ontario, Canada  [doi>10.1145/143457.143461]
 
20
STERLING, L. AND SHAPIRO, E. 1997. The Art of Prolog. MIT Press, Cambridge, Mass.
 
21
SUBRAHMANIAN, V., ADALI, S., BRINK, A., EMERY, R., LU, J., RAJPUT, A., ROGERS, T., ROSS, R., AND WARD, C. 1997. Hermes: Heterogeneous reasoning and mediator system. http://www.cs.umd.edu/projects/ hermes/publications/abstracts/hermes.html.
 
22
WOO, T. AND LAM, S. 1993. Authorizations in distributed systems: A new approach. J. Comput. Sec. 2, 2,3, 107-136.

CITED BY  18
 
M. Coetzee , Jan H. P. Eloff, Virtual enterprise access control requirements, Proceedings of the 2003 annual research conference of the South African institute of computer scientists and information technologists on Enablement through technology, p.285-294, September 17-19, 2003
 
Basit Shafiq , James B. D. Joshi , Elisa Bertino , Arif Ghafoor, Secure Interoperation in a Multidomain Environment Employing RBAC Policies, IEEE Transactions on Knowledge and Data Engineering, v.17 n.11, p.1557-1577, November 2005
Rafae Bhatti , Basit Shafiq , Elisa Bertino , Arif Ghafoor , James B. D. Joshi, X-gtrbac admin: A decentralized administration model for enterprise-wide access control, ACM Transactions on Information and System Security (TISSEC), v.8 n.4, p.388-423, November 2005
 
David W. Marsh , Rusty O. Baldwin , Barry E. Mullins , Robert F. Mills , Michael R. Grimaila, A security policy language for wireless sensor networks, Journal of Systems and Software, v.82 n.1, p.101-111, January, 2009
François Siewe , Antonio Cau , Hussein Zedan, A compositional framework for access control policies enforcement, Proceedings of the 2003 ACM workshop on Formal methods in security engineering, p.32-42, October 30, 2003, Washington, D.C.
 
Audun Jøsang , Dieter Gollmann , Richard Au, A method for access authorisation through delegation networks, Proceedings of the 2006 Australasian workshops on Grid computing and e-research, p.165-174, January 16-19, 2006, Hobart, Tasmania, Australia
 
Xinyu Wang , Jianling Sun , Xiaohu Yang , Chao Huang , Di Wu, Security Violation Detection for RBAC Based Interoperation in Distributed Environment, IEICE - Transactions on Information and Systems, v.E91-D n.5, p.1447-1456, May 2008
 
Jong P. Yoon, Presto Authorization: A Bitmap Indexing Scheme for High-Speed Access Control to XML Documents, IEEE Transactions on Knowledge and Data Engineering, v.18 n.7, p.971-987, July 2006
Ninghui Li , Qihua Wang, Beyond separation of duty: an algebra for specifying high-level security policies, Proceedings of the 13th ACM conference on Computer and communications security, October 30-November 03, 2006, Alexandria, Virginia, USA
Qun Ni , Elisa Bertino , Jorge Lobo, D-algebra for composing access control policy decisions, Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, March 10-12, 2009, Sydney, Australia
Joachim Biskup , Sandra Wortmann, Towards a credential-based implementation of compound access control policies, Proceedings of the ninth ACM symposium on Access control models and technologies, June 02-04, 2004, Yorktown Heights, New York, USA
Glenn Bruns , Daniel S Dantas , Michael Huth, A simple and expressive semantic framework for policy composition in access control, Proceedings of the 2007 ACM workshop on Formal methods in security engineering, p.12-21, November 02-02, 2007, Fairfax, Virginia, USA
 
Abhilasha Bhargav-Spantzel , Jan Camenisch , Thomas Gross , Dieter Sommer, User centricity: A taxonomy and open issues, Journal of Computer Security, v.15 n.5, p.493-527, October 2007
Ninghui Li , Qihua Wang, Beyond separation of duty: An algebra for specifying high-level security policies, Journal of the ACM (JACM), v.55 n.3, p.1-46, July 2008
Radha Jagadeesan , Will Marrero , Corin Pitcher , Vijay Saraswat, Timed constraint programming: a declarative approach to usage control, Proceedings of the 7th ACM SIGPLAN international conference on Principles and practice of declarative programming, p.164-175, July 11-13, 2005, Lisbon, Portugal
Jay Ligatti , Lujo Bauer , David Walker, Run-Time Enforcement of Nonsafety Policies, ACM Transactions on Information and System Security (TISSEC), v.12 n.3, p.1-41, January 2009
Clara Bertolissi , Maribel Fernández, A rewriting framework for the composition of access control policies, Proceedings of the 10th international ACM SIGPLAN conference on Principles and practice of declarative programming, July 15-17, 2008, Valencia, Spain
Steve Barker , Marek J. Sergot , Duminda Wijesekera, Status-Based Access Control, ACM Transactions on Information and System Security (TISSEC), v.12 n.1, p.1-47, October 2008

INDEX TERMS

Primary Classification:
  H. Information Systems
  H.2 DATABASE MANAGEMENT
      H.2.7 Database Administration
          Subjects: Security, integrity, and protection

Additional Classification:
  K. Computing Milieux
  K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS
      K.6.5 Security and Protection (D.4.6, K.4.2)


General Terms:
Design, Security


Keywords:
Access control, algebra, logic programs, policy composition

Collaborative Colleagues:
Piero Bonatti: colleagues
Sabrina De Capitani di Vimercati: colleagues
Pierangela Samarati: colleagues

Peer to Peer - Readers of this Article have also read:

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player